Supervision release 14 May 2018 – 30/2018

EU Network and Information Systems Directive implemented nationally on 9 May 2018

On 6 July 2017, the European Parliament and the Council provided Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (so-called NIS Directive). National legislation under the Directive and obligations imposed by it enter into force on 9 May 2018. First and foremost, the obligations are concerned with companies critical for the supply of service and key digital service providers.

​The general objective of the Directive is to enhance the level of security against network and information security breaches, risks and threats. The purpose is to achieve a high level of network and information system security within the EU by improving preparedness at the national level, enhancing EU-level cooperation and by providing risk management and reporting obligations to essential service providers and certain digital service providers.
Member states are obliged to determine the essential providers by sector established in their jurisdiction, which are active in the sectors belonging to the scope of application of the Directive.

As regards the financial service, essential service providers comprise credit institutions1 and financial market infrastructures2. In practice, there is currently such infrastructure provider in Finland, Nasdaq Helsinki Ltd.

The new legislation obliges service providers to notify,without undue delay, the competent authority or the CSIRT of information security threats and breaches having a significant impact on the continuity of essential services they provide. Notifications shall include information enabling the competent authority to determine any cross-border impact of the incident.

Financial sector participants have been under obligations corresponding to the requirements of the Directive already before the entry into force of the new legislation to arrange operational risk management and ICT systems security and to notify network and information security breaches. The entry into force of the NIS Directive does not change or introduce new obligations, but the regulations and guidelines previously provided by the FIN-FSA on the management and reporting of operational risk remain in force. Notifications on network and information security breaches are always made to the FIN-FSA. Providers of financial sector services may additionally choose to submit a notification to the CSIRT (Finnish Communications Regulatory Agency).

Link to the regulations and guidelines:

Regulations and guidelines 8/2014 Management of operational risk in supervised entities of the financial sector

For further information please contact:

  • Anne Nisén, Senior Risk Expert, tel. +358 9 183 5211, anne.nisen(at)
  • Heli Mäkitalo, Risk Expert, tel. +358 9 183 5369, heli.makitalo(at)

1 Credit institutions, as defined in Article 4(4)(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council.

2 Operators of trading venues as defined in Article 4(24) of Directive 2014/65/EU of the European Parliament and of the Council and central counterparties as defined in Article 2(1) of Regulation No 648/2012 of the European Parliament and of the Council.

The corresponding Finnish-language supervision release was published on 8 May 2018.